We recently started to look at a ZFS based solution as a possible replacement for our DCE/DFS based campus filesystem (yes, this is still in production here). The ACL model of the combination OpenSolaris+ZFS+in-kernel-CIFS+NFSv4 looks like a really promising setup, something which could place it high up on our list ...

So we had our test system installed (build 133) and were happily manipulating ACLs from Windows and also from our standard Debian client using the Linux nfsv4 utilities ... transparently! We were impressed ... until an application issued a chmod and destroyed the ACL.

We then of course found Paul Henson's proposal for aclmode ignore and deny values [http://mail.opensolaris.org/pipermail/zfs-discuss/2010/February/037206.html] and the ZFS ACL thread he started in http://mail.opensolaris.org/pipermail/zfs-discuss/2010-February/037863.html .

So from this site: we very much support the idea of adding ignore and deny values for the aclmode property!

However, reading PSARC/2010/029, it looks like we will get aclmode=discard for everybody and the property removed. I hope this is not the end of the story ...

- Ralf

--
Ralf Utermann
_____________________________________________________________________
Universität Augsburg, Institut für Physik -- EDV-Betreuer
Universitätsstr.1
D-86135 Augsburg
Phone: +49-821-598-3231
SMTP: Ralf.Utermann at Physik.Uni-Augsburg.DE
Fax: -3411

On 6-3-2010 18:41, Ralf Utermann wrote:

> So from this site: we very much support the idea of adding ignore
> and deny values for the aclmode property!
>
> However, reading PSARC/2010/029, it looks like we will get
> aclmode=discard for everybody and the property removed.
> I hope this is not the end of the story ...

+1

Carefully constructed ACL's should -never- be destroyed by an (unwanted/unexpected) chmod. Extra aclmode properties should not be so hard to implement.

--
Dick Hoogendijk -- PGP/GnuPG key: 01D2433D
+ http://nagual.nl/ | OpenSolaris 2010.03 b131
+ All that's really worth doing is what we do for others (Lewis Carrol)

On Sat, 6 Mar 2010, Ralf Utermann wrote:

> we recently started to look at a ZFS based solution as a possible
> replacement for our DCE/DFS based campus filesystem (yes, this is still
> in production here).

Hey, a fellow DFS shop :)... We finally migrated the last production files off of DFS last month, I'm actually going to pull the plug on the infrastructure within a couple of weeks. It will be nice not to have to worry that software that's been unsupported for years will go blooey :(.

> The ACL model of the combination OpenSolaris+ZFS+in-kernel-CIFS+NFSv4
> looks like a really promising setup, something which could place it high
> up on our list ...

Indeed, while we're currently running S10 with samba (our development started before OpenSolaris support was announced; we're hoping to migrate sometime this year), Solaris/ZFS was the best option we could find to replace our DFS infrastructure. The main thing I miss is the location independence and ability to migrate data between servers while it's in use. Other than this annoying chmod/ACL issue, our only other major problem is lack of scalability in NFS sharing, it takes a good 45 minutes to share/unshare the 8000 filesystems on each of our X4500's (we have 5), resulting in about a 2 hour reboot cycle :(. There's an open bug on it, but they say it will never be addressed in Solaris 10, but hopefully someday in OpenSolaris.

> So from this site: we very much support the idea of adding ignore and
> deny values for the aclmode property!

If you have a Sun support contract, open a support call and ask to be added to SR #72456444, which is the case I have open to try and get a better solution to chmod/ACL interaction. If you're thinking of spending a lot of money on Sun hardware, bring this issue up to your sales guy and push for a solution. I think part of the problem is very few sites actually use ACLs, particularly to the extent people coming from a DFS background are used to :(.

> However, reading PSARC/2010/029, it looks like we will get
> aclmode=discard for everybody and the property removed. I hope this is
> not the end of the story ...

As do I, but so far it's not looking too good. I discussed my proposal with Mark Shellenbaum (the author of that PSARC case), and he was pretty strongly against it. I thought I made some rather good points, but as I'm sure you saw from the threads you referenced there are quite strong opinions on both sides. He seems to be Sun's main guy when it comes to ACL's; if he was on board it would be a lot more likely to happen, but I never heard back from him on my counter response to his initial reply detailing his reasons he thought it was a bad idea, and he was conspicuously absent during the recent list free-for-all...

As I've offered before, I'll implement it if they'll merge it...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768

Paul B. Henson wrote:

> On Sat, 6 Mar 2010, Ralf Utermann wrote:
>
>> we recently started to look at a ZFS based solution as a possible
>> replacement for our DCE/DFS based campus filesystem (yes, this is still
>> in production here).
>
> Hey, a fellow DFS shop :)... We finally migrated the last production files
> off of DFS last month, I'm actually going to pull the plug on the
> infrastructure within a couple of weeks. It will be nice not to have to
> worry that software that's been unsupported for years will go blooey :(.
>

It will take some time until we can pull the plug here :(
At least, it's stable, though unsupported; some parts still running on F50's ...

[...]

> If you have a Sun support contract, open a support call and ask to be added
> to SR #72456444, which is the case I have open to try and get a better

I will try over our StorageTeks.

> solution to chmod/ACL interaction. If you're thinking of spending a lot of
> money on Sun hardware, bring this issue up to your sales guy and push for a
> solution. I think part of the problem is very few sites actually use ACLs,
> particularly to the extent people coming from a DFS background are used to
> :(.
>

Sure, we will make this point.

--
Ralf Utermann
_____________________________________________________________________
Universität Augsburg, Institut für Physik -- EDV-Betreuer
Universitätsstr.1
D-86135 Augsburg
Phone: +49-821-598-3231
SMTP: Ralf.Utermann at Physik.Uni-Augsburg.DE
Fax: -3411

On Sat, 6 Mar 2010, Paul B. Henson wrote:

> If you have a Sun support contract, open a support call and ask to be added
> to SR #72456444, which is the case I have open to try and get a better
> solution to chmod/ACL interaction.

CR#6933018 has been created for this issue; for any interested parties who'd like to track it...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768