Project

General

Profile

Actions

Bug #59394

open

ACLs not fully supported.

Added by Brian Woods about 1 year ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Category:
Correctness/Safety
Target version:
% Done:

0%

Source:
Tags:
Backport:
pacific,quincy
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
Client, MDS
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Attempting to set the default user or group on a CephFS volume returns an error:

setfacl -dRm u:user:rwX,g:group:rwX /CephFS

Returns this for all sub-folders:
setfacl /CephFS/Folder1 "Operation not supported"

Running version 17.2.5.


Files

Screenshot from 2023-05-09 12-43-50.png (57.4 KB) Screenshot from 2023-05-09 12-43-50.png Brian Woods, 05/09/2023 07:44 PM
MDS-Small3.log (69.4 KB) MDS-Small3.log Brian Woods, 05/09/2023 07:47 PM
Actions #1

Updated by Venky Shankar 12 months ago

  • Category set to Correctness/Safety
  • Assignee set to Milind Changire
  • Target version set to v19.0.0
  • Backport set to pacific,quincy
  • Component(FS) Client, MDS added
Actions #2

Updated by Milind Changire 12 months ago

Brian,
  • Should /CephFS be assumed as the mount point on the host system at which the cephfs is mounted ?
  • What was the UID of the user running the setfacl command ?
Actions #3

Updated by Brian Woods 12 months ago

The paths given where for illustration only. Exact paths are something closer to:

/CephFS/Pool-ErasurePool/MediaStore/UserName

And so the error are closer to:

setfacl: /CephFS/Pool-ErasurePool/MediaStore/UserName/Documents: Operation not supported

The user executing the command is root (so 0).

I asked on Discord, and at least one user WAS able to execute the command on their system, so it may be something unique to my environment.

This is a cephadm deployment of 17.2.5 on Ubuntu 20.04.5 LTS.

Actions #4

Updated by Brian Woods 12 months ago

With the root mount point being /CephFS.

I do have several folders with specific EC and replication pools (hence Pool-ErasurePool in the path).

Not sure if that is relevant, but stating it just in case.

Actions #5

Updated by Milind Changire 12 months ago

Brian,
Could you share the MDS debug logs for this specific operation.
It'll help us identify the failure point.

Just raise the mds debug level to 20 before the setfacl and drop it to the required level after the command finishes.

Actions #6

Updated by Brian Woods 12 months ago

Milind Changire wrote:

Brian,
Could you share the MDS debug logs for this specific operation.
It'll help us identify the failure point.

Just raise the mds debug level to 20 before the setfacl and drop it to the required level after the command finishes.

So, I am having a hard time trying to set that... Missing something simple.

I see these in the GUI:

mds_debug_auth_pins
mds_debug_frag
mds_debug_scatterstat
mds_debug_subtrees

And attempting to get the config from CLI I get this:

# ceph daemon mds.### config show | grep debug | grep level
    "debug_leveldb": "4/5",
    "mon_cluster_log_file_level": "debug",

And both of these:

ceph daemon mds.### config set mds_debug_level "20" 
ceph daemon mds.### config set mds_debug "20" 

Result in:

ERROR: (2) No such file or directory
error getting 'mds_debug': (2) No such file or directory

What am I missing... :(

Actions #7

Updated by Milind Changire 12 months ago

Brian,
The command you are using is correct.
However, the config key is incorrect.
Set debug_mds to 20 for all mds daemons.

FYI - https://docs.ceph.com/en/latest/rados/troubleshooting/log-and-debug/
Check the section "SUBSYSTEM, LOG AND DEBUG SETTINGS" for the different ceph subsystems that you can request logs for.

Actions #8

Updated by Brian Woods 11 months ago

Milind Changire wrote:

Brian,
The command you are using is correct.
However, the config key is incorrect.
Set debug_mds to 20 for all mds daemons.

FYI - https://docs.ceph.com/en/latest/rados/troubleshooting/log-and-debug/
Check the section "SUBSYSTEM, LOG AND DEBUG SETTINGS" for the different ceph subsystems that you can request logs for.

Testing 1 2 3... Tacker is not letting me post.

Actions #9

Updated by Brian Woods 11 months ago

Milind Changire wrote:

Brian,
The command you are using is correct.
However, the config key is incorrect.
Set debug_mds to 20 for all mds daemons.

FYI - https://docs.ceph.com/en/latest/rados/troubleshooting/log-and-debug/
Check the section "SUBSYSTEM, LOG AND DEBUG SETTINGS" for the different ceph subsystems that you can request logs for.

NOTE:
So there is some sort of a bug in the tracker that is preventing me from posting the log in-line (see attached screen shot in the last comment), so I have attached them as a file this time.

Sorry for the long delay, I was on vacation for a while...

I did that and it was of course extremely large, even for just a few seconds of activity (over a GB), and had a lot of sensitive data in it.

But I think I have narrowed down the time window to a single attempted change (/Pool-ErasurePool/MediaStore/UserName/ and maybe part of /Pool-ErasurePool/MediaStore/UserName/USB-Drive/), and scrubbed anything sensitive (FYI, target user and group IDs are 11002:12101).

Actions #10

Updated by Milind Changire 11 months ago

Brian,
Have you read up these docs about turning on ACLs ?

Actions

Also available in: Atom PDF