Bug #59394
openACLs not fully supported.
Added by Brian Woods about 1 year ago. Updated 13 days ago.
0%
Description
Attempting to set the default user or group on a CephFS volume returns an error:
setfacl -dRm u:user:rwX,g:group:rwX /CephFS
Returns this for all sub-folders:
setfacl /CephFS/Folder1 "Operation not supported"
Running version 17.2.5.
Files
Screenshot from 2023-05-09 12-43-50.png (57.4 KB) | Brian Woods, 05/09/2023 07:44 PM
MDS-Small3.log (69.4 KB) | Brian Woods, 05/09/2023 07:47 PM
Updated by Venky Shankar about 1 year ago
- Category set to Correctness/Safety
- Assignee set to Milind Changire
- Target version set to v19.0.0
- Backport set to pacific,quincy
- Component(FS) Client, MDS added
Updated by Milind Changire about 1 year ago
- Should /CephFS be assumed as the mount point on the host system at which the cephfs is mounted?
- What was the UID of the user running the setfacl command?
Updated by Brian Woods about 1 year ago
The paths given were for illustration only. Exact paths are something closer to:
/CephFS/Pool-ErasurePool/MediaStore/UserName
And so the errors are closer to:
setfacl: /CephFS/Pool-ErasurePool/MediaStore/UserName/Documents: Operation not supported
The user executing the command is root (so 0).
I asked on Discord, and at least one user WAS able to execute the command on their system, so it may be something unique to my environment.
This is a cephadm deployment of 17.2.5 on Ubuntu 20.04.5 LTS.
Updated by Brian Woods about 1 year ago
With the root mount point being /CephFS.
I do have several folders with specific EC and replication pools (hence Pool-ErasurePool in the path).
Not sure if that is relevant, but stating it just in case.
Updated by Milind Changire about 1 year ago
Brian,
Could you share the MDS debug logs for this specific operation.
It'll help us identify the failure point.
Just raise the mds debug level to 20 before the setfacl and drop it to the required level after the command finishes.
Updated by Brian Woods about 1 year ago
Milind Changire wrote:
Brian,
Could you share the MDS debug logs for this specific operation.
It'll help us identify the failure point.
Just raise the mds debug level to 20 before the setfacl and drop it to the required level after the command finishes.
So, I am having a hard time trying to set that... Missing something simple.
I see these in the GUI:
mds_debug_auth_pins
mds_debug_frag
mds_debug_scatterstat
mds_debug_subtrees
And attempting to get the config from CLI I get this:
# ceph daemon mds.### config show | grep debug | grep level
"debug_leveldb": "4/5",
"mon_cluster_log_file_level": "debug",
And both of these:
ceph daemon mds.### config set mds_debug_level "20"
ceph daemon mds.### config set mds_debug "20"
Result in:
ERROR: (2) No such file or directory error getting 'mds_debug': (2) No such file or directory
What am I missing... :(
Updated by Milind Changire about 1 year ago
Brian,
The command you are using is correct.
However, the config key is incorrect.
Set debug_mds to 20 for all mds daemons.
FYI - https://docs.ceph.com/en/latest/rados/troubleshooting/log-and-debug/
Check the section "SUBSYSTEM, LOG AND DEBUG SETTINGS" for the different ceph subsystems that you can request logs for.
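The steps described above (raise debug_mds to 20, run the setfacl, drop the level back) as a wrapper script. This is an added example, not part of the tracker thread or of Ceph's own code; it assumes the centralized `ceph config get/set` commands with the `mds` section instead of the per-daemon `ceph daemon` form used in the thread, and `with_mds_debug` and `DEBUG_LEVEL` are names made up for this example.

```shell
#!/usr/bin/env bash
# Added example: run one command with debug_mds raised, then restore it.
# Assumes `ceph config get/set` works from this host (admin keyring present).
# DEBUG_LEVEL and with_mds_debug are names chosen for this example.

DEBUG_LEVEL="${DEBUG_LEVEL:-20}"

with_mds_debug() {
    local previous rc
    # Remember the current level (for example "1/5") so it can be put back.
    previous="$(ceph config get mds debug_mds)" || {
        echo "could not read debug_mds; not changing anything" >&2
        return 2
    }
    ceph config set mds debug_mds "$DEBUG_LEVEL" || return 2

    # Trap the signals so Ctrl-C on the wrapped command still reaches the
    # restore step below instead of ending the script at level 20.
    trap 'echo "interrupted; restoring debug_mds" >&2' INT TERM

    # UTC timestamps bracket the operation, which makes it easier to cut the
    # matching window out of a very large MDS log afterwards.
    echo "debug_mds ${previous} -> ${DEBUG_LEVEL} at $(date -u +%FT%TZ)" >&2
    "$@"
    rc=$?
    echo "command exited ${rc} at $(date -u +%FT%TZ)" >&2
    trap - INT TERM

    # Level 20 logging grows fast, so restore even when the command failed.
    if ! ceph config set mds debug_mds "$previous"; then
        echo "WARNING: debug_mds is still ${DEBUG_LEVEL}; restore by hand" >&2
        return 3
    fi
    return "$rc"
}

# Example: ./mds-debug-run.sh setfacl -dRm u:user:rwX,g:group:rwX /CephFS
if [ "$#" -gt 0 ]; then
    with_mds_debug "$@"
fi
```

The function returns the wrapped command's exit status, so a failing setfacl is still visible to the caller after the level has been restored.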
Updated by Brian Woods about 1 year ago
Milind Changire wrote:
Brian,
The command you are using is correct.
However, the config key is incorrect.
Set debug_mds to 20 for all mds daemons.
FYI - https://docs.ceph.com/en/latest/rados/troubleshooting/log-and-debug/
Check the section "SUBSYSTEM, LOG AND DEBUG SETTINGS" for the different ceph subsystems that you can request logs for.
Testing 1 2 3... Tracker is not letting me post.
Updated by Brian Woods about 1 year ago
- File MDS-Small3.log added
Milind Changire wrote:
Brian,
The command you are using is correct.
However, the config key is incorrect.
Set debug_mds to 20 for all mds daemons.
FYI - https://docs.ceph.com/en/latest/rados/troubleshooting/log-and-debug/
Check the section "SUBSYSTEM, LOG AND DEBUG SETTINGS" for the different ceph subsystems that you can request logs for.
NOTE:
So there is some sort of a bug in the tracker that is preventing me from posting the log in-line (see attached screen shot in the last comment), so I have attached them as a file this time.
Sorry for the long delay, I was on vacation for a while...
I did that and it was of course extremely large, even for just a few seconds of activity (over a GB), and had a lot of sensitive data in it.
But I think I have narrowed down the time window to a single attempted change (/Pool-ErasurePool/MediaStore/UserName/ and maybe part of /Pool-ErasurePool/MediaStore/UserName/USB-Drive/), and scrubbed anything sensitive (FYI, target user and group IDs are 11002:12101).
Updated by Milind Changire about 1 year ago
Brian,
Have you read up on these docs about turning on ACLs?
Updated by Patrick Donnelly 13 days ago
- Target version changed from v19.0.0 to v20.0.0