Re: [zfs-discuss] [nfs-discuss] Two pools, one flop-
On 01/18/2010 07:50 PM, Tom Haynes wrote:
CD wrote:
On 01/18/2010 06:36 PM, Tom Haynes wrote:
CD wrote:

Greetings. I've got two pools, but can only access one of them from my linux-machine. Both pools got the same settings and acl. Both pools have sharenfs=on. Also, every filesystem got aclinherit=passthrough

    NAME    PROPERTY  VALUE  SOURCE
    tank    sharenfs  on     local
    bitbox  sharenfs  on     local

Does 'zfs list' show bitbox to be at the root of the server's namespace?

    # zfs list -o name,sharenfs,mountpoint
    NAME                    SHARENFS  MOUNTPOINT
    bitbox                  on        /bitbox
    bitbox/fs0              on        /bitbox/fs0
    bitbox/fs1              on        /bitbox/fs1
    rpool                   off       /rpool
    rpool/ROOT              off       legacy
    rpool/ROOT/opensolaris  off       /
    rpool/ROOT/xvm          off       /mnt/xvm
    rpool/ROOT/xvm-1        off       /mnt/xvm1
    rpool/dump              -         -
    rpool/export            off       /export
    rpool/export/home       off       /export/home
    rpool/swap              -         -
    tank                    on        /tank
    tank/fs0                on        /tank/fs0
    tank/fs1                on        /tank/fs2

Hmm, tank/fs1 is mounted on /tank/fs2. Do you also have a /tank/fs1? I.e., the shares down below don't match the paths. This shouldn't be the problem you are seeing...

I must apologize; I edited the output to make it simpler, and made a typo. The fs0 and fs1 are just placeholders. The original output looks okay.

What does share show as the active shares?

    # share
    -...@tank /tank rw ""
    -...@tank /tank/fs0 rw ""
    -...@tank /tank/fs1 rw ""
    f...@tank/fs0 /tank/fs0 rw ""
    f...@tank/fs1 /tank/fs1 rw ""

If you don't see bitbox here, it will be a problem.

Seems I've got a problem ^^ But what? Isn't the filesystem handling the sharing?

Yes, they should be. I'm adding zfs-discuss to see what further triaging will help.

Great, thanks. I've got samba shares active for most of my filesystems - can this be a problem?

Same ACL:

    /bitbox
    drwxr--r--+ 25 root sa 25 Dec 18 12:43 folder0
        group:sa:rwxpdDaARWcCos:---:allow
        owner@:rwxpdDaARWcCos:---:allow
        everyone@:r-a-R-c---:---:allow
    drwxr--r--+ 3 root sa 3 Jun 1 2009 folder1
        group:sa:rwxpdDaARWcCos:---:allow
        owner@:rwxpdDaARWcCos:---:allow
        everyone@:r-a-R-c---:---:allow

    /tank
    drwxr--r--+ 4 root root 4 Sep 9 15:47 folder0
        group:sa:rwxpdDaARWcCos:---:allow
        owner@:rwxpdDaARWcCos:---:allow
        everyone@:r-a-R-c---:---:allow
    drwxr--r--+ 7 root sa 9 May 19 2009 folder1
        group:sa:rwxpdDaARWcCos:---:allow
        owner@:rwxpdDaARWcCos:---:allow
        everyone@:r-a-R-c---:---:allow

Yet, when I mount the nfs, only 'tank' is listed:

    mount -t nfs4 srv:/ /mnt/server

If I try to mount the pools separately:

    $ sudo mount -t nfs4 srv:/tank /mnt/tank/
    --work perfectly

    $ sudo mount -t nfs4 srv:/bitbox /mnt/bitbox
    --gives error:
    mount.nfs4: mounting srv:/bitbox failed, reason given by server: No such file or directory

What if you try a v3 mount?

I assume the prefix "-t nfs" equals v3? I get:

    mount.nfs: access denied by server while mounting srv:/bitbox

You don't need "-t nfs", just dropping the -t option will work. But the fact that we don't see a share means we do not expect to get access here.

The /etc/dfs/sharetab only contains /tank entries, even though I've got both nfs and smb shares in the /bitbox pool...

Not sure why.

Also I don't get it!

Also, where are the config files, such as the /etc/export?

If this were non-zfs, you'd want to look in /etc/dfs. But since this is zfs, the share (i.e., export) is in the sharenfs property of the filesystem.

Thanks!

Thanks for replying.

___
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
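The mismatch this message arrives at (sharenfs=on for bitbox, yet only /tank entries in /etc/dfs/sharetab) can be checked mechanically. The following is an added example, not part of the original messages; the function names are hypothetical and both inputs are constructed to mirror the thread, assuming tab-separated `zfs list -H -o name,sharenfs,mountpoint` output and the sharetab field order path, resource, fstype, options, description.

```python
# Added example; both inputs are constructed to mirror the thread.
# zfs list -H -o name,sharenfs,mountpoint  (tab-separated, no header)
ZFS_LIST = (
    "bitbox\ton\t/bitbox\n"
    "bitbox/fs0\ton\t/bitbox/fs0\n"
    "rpool/ROOT\toff\tlegacy\n"
    "rpool/dump\t-\t-\n"
    "tank\ton\t/tank\n"
    "tank/fs0\ton\t/tank/fs0\n"
)
# /etc/dfs/sharetab: path, resource, fstype, options, description
SHARETAB = (
    "/tank\t-\tnfs\trw\t\n"
    "/tank/fs0\t-\tnfs\trw\t\n"
    "/tank/fs0\tfs0\tsmb\t-\t\n"
)


def nfs_share_requests(zfs_list_text):
    """Map mountpoint -> dataset for datasets whose sharenfs is enabled."""
    wanted = {}
    for line in zfs_list_text.splitlines():
        name, sharenfs, mountpoint = line.split("\t")
        # "off" and "-" (volumes such as dump/swap) are not shared;
        # any other value ("on" or an option string) requests a share.
        if sharenfs not in ("off", "-") and mountpoint.startswith("/"):
            wanted[mountpoint] = name
    return wanted


def active_nfs_paths(sharetab_text):
    """Paths the server is actually exporting over NFS (SMB rows ignored)."""
    active = set()
    for line in sharetab_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 3 and fields[2] == "nfs":
            active.add(fields[0])
    return active


def unshared(zfs_list_text, sharetab_text):
    """Datasets with sharenfs enabled that have no NFS sharetab entry."""
    active = active_nfs_paths(sharetab_text)
    wanted = nfs_share_requests(zfs_list_text)
    return sorted(ds for path, ds in wanted.items() if path not in active)


if __name__ == "__main__":
    for dataset in unshared(ZFS_LIST, SHARETAB):
        print("sharenfs set but not shared:", dataset)
```
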
[zfs-discuss] Best practice for setting ACL
Hello forum.

I'm in the process of re-organizing my server and ACL-settings. I've seen so many different ways of doing ACL, which makes me wonder how I should do it myself.

This is obviously the easiest way, only describing the positive permissions:

    /usr/bin/chmod -R A=\
    group:sa:full_set:fd:allow,\
    group:vk:read_set:fd:allow \

However, I've seen people split each line, so you get one for each inheritance-setting:

    group:sa:full_set:f:allow,\
    group:sa:full_set:d:allow,\
    group:vk:read_set:f:allow,\
    group:vk:read_set:d:allow \

And some include all negative permissions, like this:

    group:sa:full_set:f:allow,\
    group:sa:full_set:d:allow,\
    group:sa::f:deny,\
    group:sa::d:deny,\
    group:vk:read_set:f:allow,\
    group:vk:read_set:d:allow,\
    group:vk:wxpdDAWCos:f:deny,\
    group:vk:wxpdDAWCos:d:deny,\
    everyone@::f:allow,\
    everyone@::d:allow,\
    everyone@:full_set:f:deny,\
    everyone@:full_set:d:deny \

- Which, I admit, looks more tidy and thoroughly done, but is it practical?
Re: [zfs-discuss] Best practice for setting ACL
Hey, thanks for replying!

I've been accessing my server with samba, but now that I'm switching over to nfs, I can't seem to get the ACL right..

Basically, moving and overwriting files seems to work fine. But if I copy a file - either from an external source or internally on the server - the permissions get messed up. Either I lose permission to write to the file, or I lose all permissions..

My access hierarchy:

1. Master group with full access to all files on server
2. Master group with only read access to all files on server
3. Local group with rw access to only this filesystem
4. Local group with read access to only this filesystem
5. Deny everyone else

The template used on the filesystem:

    group:su:full_set:f:allow,\
    group:su:full_set:d:allow,\
    group:su::f:deny,\
    group:su::d:deny,\
    group:vu:read_set:f:allow,\
    group:vu:read_set:d:allow,\
    group:vu:wxpdDAWCos:f:deny,\
    group:vu:wxpdDAWCos:d:deny,\
    group:isorw:full_set:f:allow,\
    group:isorw:full_set:d:allow,\
    group:isorw::f:deny,\
    group:isorw::d:deny,\
    group:isor:read_set:f:allow,\
    group:isor:read_set:d:allow,\
    group:isor:wxpdDAWCos:f:deny,\
    group:isor:wxpdDAWCos:d:deny,\
    everyone@::f:allow,\
    everyone@::d:allow,\
    everyone@:full_set:f:deny,\
    everyone@:full_set:d:deny \

If I make a new file on the server, the permissions look fine, and I get full access:

    --+ 1 1000 workers 0 Jan 28 20:35 testfile
        group:su:rwxpdDaARWcCos:--I:allow
        group:su:--:--I:deny
        group:vu:r-a-R-c---:--I:allow
        group:vu:-wxpdD-A-W-Cos:--I:deny
        group:isorw:rwxpdDaARWcCos:--I:allow
        group:isorw:--:--I:deny
        group:isor:r-a-R-c---:--I:allow
        group:isor:-wxpdD-A-W-Cos:--I:deny
        everyone@:--:--I:allow
        everyone@:rwxpdDaARWcCos:--I:deny

If I make a copy of the file, however, it gets messy:

    --+ 1 1000 workers 0 Aug 29 2022 testfile_copy
        group:su:rwxp--:---:deny
        group:su:rwxpdDaARWcCos:--I:allow
        group:su:--:--I:deny
        group:vu:r-:---:deny
        group:vu:r-a-R-c---:--I:allow
        group:vu:-wxpdD-A-W-Cos:--I:deny
        group:isorw:rwxp--:---:deny
        group:isorw:rwxpdDaARWcCos:--I:allow
        group:isorw:--:--I:deny
        group:isor:r-:---:deny
        group:isor:r-a-R-c---:--I:allow
        group:isor:-wxpdD-A-W-Cos:--I:deny
        everyone@:--:--I:allow
        everyone@:dDaARWcCos:--I:deny
        owner@:rwxp--:---:deny
        owner@:---A-W-Co-:---:allow
        group@:rwxp--:---:deny
        group@:--:---:allow
        everyone@:rwxp---A-W-Co-:---:deny
        everyone@:--a-R-c--s:---:allow

Why do the extra entries get added? The extra entry at the top seems to block me from accessing the file.

On 01/25/2010 09:18 PM, Cindy Swearingen wrote:

Hi CD,

Practical in what kind of environment? What are your goals? Do you want the ACL deny entries to be inherited? Do you plan to use CIFS to access these files + ACLs from systems running Windows?

Thanks,
Cindy

On 01/25/10 07:21, CD wrote:

Hello forum.

I'm in the process of re-organizing my server and ACL-settings. I've seen so many different ways of doing ACL, which makes me wonder how I should do it myself.

This is obviously the easiest way, only describing the positive permissions:

    /usr/bin/chmod -R A=\
    group:sa:full_set:fd:allow,\
    group:vk:read_set:fd:allow \

However, I've seen people split each line, so you get one for each inheritance-setting:

    group:sa:full_set:f:allow,\
    group:sa:full_set:d:allow,\
    group:vk:read_set:f:allow,\
    group:vk:read_set:d:allow \

And some include all negative permissions, like this:

    group:sa:full_set:f:allow,\
    group:sa:full_set:d:allow,\
    group:sa::f:deny,\
    group:sa::d:deny,\
    group:vk:read_set:f:allow,\
    group:vk:read_set:d:allow,\
    group:vk:wxpdDAWCos:f:deny,\
    group:vk:wxpdDAWCos:d:deny,\
    everyone@::f:allow,\
    everyone@::d:allow,\
    everyone@:full_set:f:deny,\
    everyone@:full_set:d:deny \

- Which, I admit, looks more tidy and thoroughly done, but is it practical?
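NFSv4-style ACLs are evaluated entry by entry, in order, and a deny entry that matches before an allow entry decides the request, which is the behaviour described for the extra entry at the top of testfile_copy. The following is an added example, not code from the original messages: a minimal order-dependent evaluator (hypothetical function names) run over the group:su and everyone@ entries excerpted from the two listings above. It assumes the requester is a member of su and is neither the file owner nor in the owning group, so the owner@ and group@ entries are left out.

```python
# Added example. ACE lines are excerpts copied from the thread's listings
# (the group:su and everyone@ entries, in page order); dash runs are kept
# as they appear on the page, so only permission letters are interpreted.
TESTFILE = """
group:su:rwxpdDaARWcCos:--I:allow
group:su:--:--I:deny
everyone@:--:--I:allow
everyone@:rwxpdDaARWcCos:--I:deny
"""
TESTFILE_COPY = """
group:su:rwxp--:---:deny
group:su:rwxpdDaARWcCos:--I:allow
group:su:--:--I:deny
everyone@:--:--I:allow
everyone@:dDaARWcCos:--I:deny
everyone@:rwxp---A-W-Co-:---:deny
everyone@:--a-R-c--s:---:allow
"""


def parse_acl(text):
    """Return (who, permission letters, flags, allow/deny) per ACE line."""
    aces = []
    for line in text.split():
        *who, perms, flags, kind = line.split(":")
        aces.append((":".join(who), set(perms) - {"-"}, flags, kind))
    return aces


def applies(who, groups):
    """Assumption: requester is neither the file owner nor in its owning
    group, so only everyone@ and explicit group: entries can match."""
    return who == "everyone@" or (who.startswith("group:") and who[6:] in groups)


def access_allowed(acl_text, wanted, groups=()):
    """Walk the ACEs in order; the first ACE to decide a bit wins."""
    pending = set(wanted)
    for who, perms, flags, kind in parse_acl(acl_text):
        if "i" in flags or not applies(who, groups):
            continue  # inherit-only ACEs and other principals are skipped
        if kind == "deny" and pending & perms:
            return False  # an earlier deny beats any later allow
        if kind == "allow":
            pending -= perms
        if not pending:
            return True
    return False  # bits that no ACE granted are refused
```

For a member of su, read_data (`r`) is granted on testfile but refused on testfile_copy, while read_attributes (`a`) is still granted on the copy because the prepended deny entry covers only `rwxp`.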
Re: [zfs-discuss] Best practice for setting ACL
It's been a while, and finally I got the time to do some testing -- Actually I only knew about aclinherit -- which I've found is best set as passthrough.

Setting aclmode to passthrough solved the issues I experienced earlier.

Wonderful! Thanks a lot!

--
This message posted from opensolaris.org