zfs discuss - Sep 2009 - Which kind of ACLs does tmpfs support ?

Hi!

----

Does anyone know out-of-the-head whether tmpfs supports ACLs - and if
"yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old POSIX draft ACLs
etc.) are supported by tmpfs ?

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix
programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

I have some vague recollection that tmpfs doesn''t support ACLs snd it 
appears to be so...

ZFS

    opensolaris% touch /var/tmp/bar
    opensolaris% chmod A=user:lp:r:deny /var/tmp/bar
    opensolaris%

TMPFS

    opensolaris% touch /tmp/bar
    opensolaris% chmod A=user:lp:r:deny /tmp/bar
    chmod: ERROR: Failed to set ACL: Operation not supported
    opensolaris%

-Norm

Roland Mainz wrote:
> Hi!
>
> ----
>
> Does anyone know out-of-the-head whether tmpfs supports ACLs - and if
> "yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old POSIX draft
ACLs
> etc.) are supported by tmpfs ?
>
> ----
>
> Bye,
> Roland
>
>

Roland Mainz wrote:
> Hi!
> 
> ----
> 
> Does anyone know out-of-the-head whether tmpfs supports ACLs - and if
> "yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old POSIX draft
ACLs
> etc.) are supported by tmpfs ?
> 
tmpfs does not support ACLs

see _PC_ACL_ENABLED in [f]pathconf(2).  You can query the file system 
for what type of ACLs it supports.
> ----
> 
> Bye,
> Roland
>

Norm Jacobs wrote:
> Roland Mainz wrote:
> > Does anyone know out-of-the-head whether tmpfs supports ACLs - and if
> > "yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old POSIX
draft ACLs
> > etc.) are supported by tmpfs ?
> 
> I have some vague recollection that tmpfs doesn''t support ACLs snd
it
> appears to be so...
Is there any RFE which requests the implementation of NFSv4-like ACLs
for tmpfs yet ?
> ZFS
> 
>     opensolaris% touch /var/tmp/bar
>     opensolaris% chmod A=user:lp:r:deny /var/tmp/bar
>     opensolaris%
> 
> TMPFS
> 
>     opensolaris% touch /tmp/bar
>     opensolaris% chmod A=user:lp:r:deny /tmp/bar
>     chmod: ERROR: Failed to set ACL: Operation not supported
>     opensolaris%
Ok... does that mean that I have to create a ZFS filesystem to actually
test ([1]) an application which modifies ZFS/NFSv4 ACLs or are there any
other options ?

[1]=The idea is to have a test module which checks whether ACL
operations work correctly, however the testing framework must only run
as normal, unpriviledged user...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix
programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

Interesting question takes a
few minutes to test...

http://docs.sun.com/app/docs/doc/819-2252/acl-5?l=en&a=view&q=acl%285%29+

http://docs.sun.com/app/docs/doc/819-2239/chmod-1?l=en&a=view

ZFS

[tp47565@norton:] df .

Filesystem             size   used  avail capacity  Mounted on

rpool/export/home/tp47565

                        16G   1.2G   9.7G    11%    /export/home/tp47565

[tp47565@norton:] touch file.3

[tp47565@norton:] ls -v file.3

-rw-r-----   1 tp47565  staff          0 Sep 16 15:02 file.3

     0:owner@:execute:deny

1:owner@:read_data/write_data/append_data/write_xattr/write_attributes

         /write_acl/write_owner:allow

     2:group@:write_data/append_data/execute:deny

     3:group@:read_data:allow

     4:everyone@:read_data/write_data/append_data/write_xattr/execute

         /write_attributes/write_acl/write_owner:deny

     5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow

[tp47565@norton:] chmod A+user:lp:read_data:deny file.3

[tp47565@norton:] ls -v file.3 

-rw-r-----+  1 tp47565  staff          0 Sep 16 15:02 file.3

     0:user:lp:read_data:deny

     1:owner@:execute:deny

2:owner@:read_data/write_data/append_data/write_xattr/write_attributes

         /write_acl/write_owner:allow

     3:group@:write_data/append_data/execute:deny

     4:group@:read_data:allow

     5:everyone@:read_data/write_data/append_data/write_xattr/execute

         /write_attributes/write_acl/write_owner:deny

     6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow

[tp47565@norton:] 

Let''s try the new ACLs on tmpfs

[tp47565@norton:] cd /tmp

[tp47565@norton:] df .

Filesystem             size   used  avail capacity  Mounted on

swap                   528M    12K   528M     1%    /tmp

[tp47565@norton:] grep swap /etc/vfstab 

swap        -        /tmp        tmpfs    -    yes    -

/dev/zvol/dsk/rpool/swap    -        -        swap    -    no    -

[tp47565@norton:] 

[tp47565@norton:] touch file.3

[tp47565@norton:] ls -v file.3

-rw-r-----   1 tp47565  staff          0 Sep 16 14:58 file.3

     0:user::rw-

     1:group::r--        #effective:r--

     2:mask:rwx

     3:other:---

[tp47565@norton:] 

[tp47565@norton:] chmod A+user:lp:read_data:deny file.3

chmod: ERROR: ACL type''s are different

[tp47565@norton:] 

So tmpfs does not
support the new ACLs

Do I have to do the
old way as well?

Roland Mainz wrote:

Hi!

----

Does anyone know out-of-the-head whether tmpfs supports ACLs - and if
"yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old POSIX draft ACLs
etc.) are supported by tmpfs ?

----

Bye,
Roland

-- 

Trevor
Pretty |
Technical Account Manager
|
+64
9 639 0652 |
+64
21 666 161

Eagle
Technology Group Ltd. 

Gate
D, Alexandra Park, Greenlane West, Epsom

Private Bag 93211,
Parnell, Auckland

www.eagle.co.nz 

This email is confidential and may be legally 
privileged. If received in error please destroy and immediately notify 
us.


_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss

Roland Mainz wrote:
> Norm Jacobs wrote:
>   
>> Roland Mainz wrote:
>>     
>>> Does anyone know out-of-the-head whether tmpfs supports ACLs - and
if
>>> "yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old POSIX
draft ACLs
>>> etc.) are supported by tmpfs ?
>>>       
>> I have some vague recollection that tmpfs doesn''t support ACLs
snd it
>> appears to be so...
>>     
>
> Is there any RFE which requests the implementation of NFSv4-like ACLs
> for tmpfs yet ?
>
>   
>> ZFS
>>
>>     opensolaris% touch /var/tmp/bar
>>     opensolaris% chmod A=user:lp:r:deny /var/tmp/bar
>>     opensolaris%
>>
>> TMPFS
>>
>>     opensolaris% touch /tmp/bar
>>     opensolaris% chmod A=user:lp:r:deny /tmp/bar
>>     chmod: ERROR: Failed to set ACL: Operation not supported
>>     opensolaris%
>>     
>
> Ok... does that mean that I have to create a ZFS filesystem to actually
> test ([1]) an application which modifies ZFS/NFSv4 ACLs or are there any
> other options ?
Use function interposition.  I am currently updating an ACL manipulation 
application and I use mocks for the acl get/set functions.

-- 
Ian.

Ian Collins wrote:
> Roland Mainz wrote:
> > Norm Jacobs wrote:
> >> Roland Mainz wrote:
> >>> Does anyone know out-of-the-head whether tmpfs supports ACLs -
and if
> >>> "yes" - which type(s) of ACLs (e.g. NFSv4/ZFS, old
POSIX draft ACLs
> >>> etc.) are supported by tmpfs ?
> >>>
> >> I have some vague recollection that tmpfs doesn''t support
ACLs snd it
> >> appears to be so...
> >
> > Is there any RFE which requests the implementation of NFSv4-like ACLs
> > for tmpfs yet ?
> >
> >> ZFS
> >>
> >>     opensolaris% touch /var/tmp/bar
> >>     opensolaris% chmod A=user:lp:r:deny /var/tmp/bar
> >>     opensolaris%
> >>
> >> TMPFS
> >>
> >>     opensolaris% touch /tmp/bar
> >>     opensolaris% chmod A=user:lp:r:deny /tmp/bar
> >>     chmod: ERROR: Failed to set ACL: Operation not supported
> >>     opensolaris%
> >>
> >
> > Ok... does that mean that I have to create a ZFS filesystem to
actually
> > test ([1]) an application which modifies ZFS/NFSv4 ACLs or are there
any
> > other options ?
> Use function interposition.
Umpf... the matching code is linked with -Bdirect ... AFAIK I can''t
interpose library functions linked with this option, right ?

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix
programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

Roland Mainz wrote:
> Ian Collins wrote:
>   
>> Roland Mainz wrote:
>>     
>>> Norm Jacobs wrote:
>>>       
>>>> Roland Mainz wrote:
>>>>         
>>>>> Does anyone know out-of-the-head whether tmpfs supports
ACLs - and if
>>>>> "yes" - which type(s) of ACLs (e.g. NFSv4/ZFS,
old POSIX draft ACLs
>>>>> etc.) are supported by tmpfs ?
>>>>>
>>>>>           
>>>> I have some vague recollection that tmpfs doesn''t
support ACLs snd it
>>>> appears to be so...
>>>>         
>>> Is there any RFE which requests the implementation of NFSv4-like
ACLs
>>> for tmpfs yet ?
>>>
>>>       
>>>> ZFS
>>>>
>>>>     opensolaris% touch /var/tmp/bar
>>>>     opensolaris% chmod A=user:lp:r:deny /var/tmp/bar
>>>>     opensolaris%
>>>>
>>>> TMPFS
>>>>
>>>>     opensolaris% touch /tmp/bar
>>>>     opensolaris% chmod A=user:lp:r:deny /tmp/bar
>>>>     chmod: ERROR: Failed to set ACL: Operation not supported
>>>>     opensolaris%
>>>>
>>>>         
>>> Ok... does that mean that I have to create a ZFS filesystem to
actually
>>> test ([1]) an application which modifies ZFS/NFSv4 ACLs or are
there any
>>> other options ?
>>>       
>> Use function interposition.
>>     
>
> Umpf... the matching code is linked with -Bdirect ... AFAIK I
can''t
> interpose library functions linked with this option, right ?
>
>   
I never build test harnesses with explicit ld options (I use the C or 
C++ compiler for linking).

There is a note about interposition in the ld man page description of -B.

-- 
Ian.

Roland Mainz wrote:
> Ok... does that mean that I have to create a ZFS filesystem to actually
> test ([1]) an application which modifies ZFS/NFSv4 ACLs or are there any
> other options ?
By all means, test with ZFS.  But it''s easy to do that:

# mkfile 64m /zpool.file
# zpool create test /zpool.file
# zfs list
test                       67.5K  27.4M    18K  /test

Rob T

Robert Thurlow wrote:
> Roland Mainz wrote:
> 
> > Ok... does that mean that I have to create a ZFS filesystem to
actually
> > test ([1]) an application which modifies ZFS/NFSv4 ACLs or are there
any
> > other options ?
> 
> By all means, test with ZFS.  But it''s easy to do that:
> 
> # mkfile 64m /zpool.file
> # zpool create test /zpool.file
> # zfs list
> test                       67.5K  27.4M    18K  /test
I know... but AFAIK this requires "root" priviledges which the test
suite won''t have...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix
programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

Roland Mainz wrote:
> Umpf... the matching code is linked with -Bdirect ... AFAIK I
can''t
> interpose library functions linked with this option, right ?
> 
You could set LD_NODIRECT to defeat direct bindings --- see ld.so.1(1).
However, I agree with the thought that it would be easier to just
have a ZFS filesystem to test against.

- Ali

Roland Mainz wrote:
> Robert Thurlow wrote:
>> Roland Mainz wrote:
>>
>>> Ok... does that mean that I have to create a ZFS filesystem to
actually
>>> test ([1]) an application which modifies ZFS/NFSv4 ACLs or are
there any
>>> other options ?
>> By all means, test with ZFS.  But it''s easy to do that:
>>
>> # mkfile 64m /zpool.file
>> # zpool create test /zpool.file
>> # zfs list
>> test                       67.5K  27.4M    18K  /test
> 
> I know... but AFAIK this requires "root" priviledges which the
test
> suite won''t have...
If the test suite is going to be running on nv_128 or later, then
you are guaranteed to have a zfs filesystem, since root must be
zfs then (since the only install method will be IPS, which requires
zfs root).   Until then you could just document to run it on a
system with a zfs filesystem available.

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering

Roland Mainz wrote:
> Robert Thurlow wrote:
>   
>> Roland Mainz wrote:
>>
>>     
>>> Ok... does that mean that I have to create a ZFS filesystem to
actually
>>> test ([1]) an application which modifies ZFS/NFSv4 ACLs or are
there any
>>> other options ?
>>>       
>> By all means, test with ZFS.  But it''s easy to do that:
>>
>> # mkfile 64m /zpool.file
>> # zpool create test /zpool.file
>> # zfs list
>> test                       67.5K  27.4M    18K  /test
>>     
>
> I know... but AFAIK this requires "root" priviledges which the
test
> suite won''t have...
>
> ----
>
> Bye,
> Roland
>
>   
You can delegate the ability to create ZFS filesystems.

       -Norm

Roland Mainz wrote:
> Robert Thurlow wrote:
>   
>> Roland Mainz wrote:
>>
>>     
>>> Ok... does that mean that I have to create a ZFS filesystem to
actually
>>> test ([1]) an application which modifies ZFS/NFSv4 ACLs or are
there any
>>> other options ?
>>>       
>> By all means, test with ZFS.  But it''s easy to do that:
>>
>> # mkfile 64m /zpool.file
>> # zpool create test /zpool.file
>> # zfs list
>> test                       67.5K  27.4M    18K  /test
>>     
>
> I know... but AFAIK this requires "root" priviledges which the
test
> suite won''t have...
>   
It is also more difficult to test error conditions. 

Unless you really have to, don''t use fancy link options for a test 
harness so you can easily interpose (or simply define) mock library 
calls.  If you stick with regular dynamic linking, you can simply define 
your mock/stub library functions in your test code.  Easy.

-- 
Ian.

Alan Coopersmith <Alan.Coopersmith at Sun.COM> wrote:
> If the test suite is going to be running on nv_128 or later, then
> you are guaranteed to have a zfs filesystem, since root must be
> zfs then (since the only install method will be IPS, which requires
> zfs root).   Until then you could just document to run it on a
> system with a zfs filesystem available.
Are you kidding?

An installer that depends on the availability of a specific root filesystem
is based on a design bug.

What is the reason? Is there still no pkgrm command in IPS?
If Yes, then it is obvious that IPS is not yet ready for production use.

J?rg

-- 
 EMail:joerg at schily.isdn.cs.tu-berlin.de (home) J?rg Schilling D-13353 Berlin
       js at cs.tu-berlin.de                (uni)  
       joerg.schilling at fokus.fraunhofer.de (work) Blog:
http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily

Joerg Schilling wrote:
> Alan Coopersmith <Alan.Coopersmith at Sun.COM> wrote:
> 
>> If the test suite is going to be running on nv_128 or later, then
>> you are guaranteed to have a zfs filesystem, since root must be
>> zfs then (since the only install method will be IPS, which requires
>> zfs root).   Until then you could just document to run it on a
>> system with a zfs filesystem available.
> 
> Are you kidding?
pkg will install just fine onto other filesystems eg:

$ pkg image-create -a opensolaris.org=http://pkg.opensolaris.org/dev 
/tmp/darrenm/myimage
$ pkg -R /tmp/darrenm/myimage install SUNWmkcd

/tmp is tmpfs on this sytem and note that the prompt is $ not # pkg 
doesn''t even require you be root.

Whats more pkg isn''t even specific to Solaris it works on other UNIX 
like systems and even on Windows.  So it is clearly false that it 
requires ZFS since that doesn''t even exist on all the other platforms.

Don''t confuse the decisions made for the OpenSolaris 2009.06 releases
of
only supporting and allowing install to ZFS root with the capabilities 
of the package system.
> An installer that depends on the availability of a specific root filesystem
> is based on a design bug.
> What is the reason? Is there still no pkgrm command in IPS?
> If Yes, then it is obvious that IPS is not yet ready for production use.
See the man page for pkg:

         pkg uninstall [-nrvq] [--no-index] package...

If you want to discuss pkg capabilities more please continue this 
discussion on pkg-discuss at opensolaris.org where the pkg experts will be 
happy to engage.

-- 
Darren J Moffat

Joerg Schilling wrote:
> Alan Coopersmith <Alan.Coopersmith at Sun.COM> wrote:
> 
>> If the test suite is going to be running on nv_128 or later, then
>> you are guaranteed to have a zfs filesystem, since root must be
>> zfs then (since the only install method will be IPS, which requires
>> zfs root).   Until then you could just document to run it on a
>> system with a zfs filesystem available.
> 
> Are you kidding?
No, though as Darren clarified, it''s the IPS-based installers and pkg
image-update mechanism that rely on ZFS, since boot environments are
managed using ZFS snapshots/clones, much as Live Upgrade does on ZFS systems.
> An installer that depends on the availability of a specific root filesystem
> is based on a design bug.
The installer used in Solaris 2.0 through the original release of 10 required
UFS as the root filesystem - that wasn''t a design bug, just the way it
was
designed.
> Is there still no pkgrm command in IPS?
pkgrm is the command for SVR4 packages.   pkg uninstall is the IPS
equivalent and has of course been there since the first public release
of IPS.   Perhaps you should try using IPS before telling the world
how broken your understanding of it is.

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering

On Wed, September 16, 2009 09:29, Alan Coopersmith wrote:
> The installer used in Solaris 2.0 through the original release of 10
> required
> UFS as the root filesystem - that wasn''t a design bug, just the
way it was
> designed.
If there are multiple filesystems available, an installer that forces root
to be one specific one of them is suboptimal.  "Design bug" is a bit
too
absolute; sometimes it''s quite hard, sometimes the number of people who
might reasonably want anything but one of the choices is very small, etc.

In the current case, the use of snapshots to handle keeping boot
environments straight is just so elegant, it makes some sense to me to
have an installation approach that requires it.  If future filesystems
also support snapshots, then it''ll start to look more like a bug again
if
the installer forces you to use one specific one.

-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info