rsync or cp creates trivial ACLs on the destination

Discussion in 'Solaris, Nexenta, OpenIndiana, and napp-it' started by daisho, Nov 21, 2019.

  1. daisho

    daisho New Member

    Joined:
    Apr 25, 2019
    Messages:
    20
    Likes Received:
    1
    Is there a way to suppress this?

    I mean so far as I see these (almost full rights for owner@, read_attr_set for group@ and everyone@) they will not really hamper with anything but with a bit of OCD that looks horrible in my neat designed group-based ACLs. Copying data onto the folders via SMB/Windows does not do that and just inherits what is configured in the parent folder.
    (those trivial ACLs are not defined in the parent folder from where I copy or sync ...)

    Reason is I wanted to copy all my stuff from one pool to another (some TB, so it would take some time for sure) and doing that via ZFS > Network > Workstation > Network > ZFS is kinda dumb, so I wanted to use something like rsync for that directly on the server.
     
    #1
  2. gea

    gea Well-Known Member

    Joined:
    Dec 31, 2010
    Messages:
    2,273
    Likes Received:
    752
    If you want to copy files with ntfs4 ACL intact, you must use tools that are ntfs4 aware like /usr/bin/cp -p, tar or cpio. Rsync is not ntfs4 acl aware. With rsync you loose ntfs4 acls.
     
    #2
    Evan likes this.
  3. daisho

    daisho New Member

    Joined:
    Apr 25, 2019
    Messages:
    20
    Likes Received:
    1
    I saw in the options info of rsync that it also has parameters to preserve ACL, but the thing is I don't want to actually "preserve" the old ACLs because they are a mess and the new pool has nice pre-configured group access rights that I can assign to whoever user I create afterwards.

    Currently I am copying via windows explorer from the workstation, unnecessarily slow - but it only adds the ACLs already in place by inheritance.
     
    #3
  4. gea

    gea Well-Known Member

    Joined:
    Dec 31, 2010
    Messages:
    2,273
    Likes Received:
    752
    #4
    Evan likes this.
  5. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,867
    Likes Received:
    431
    I learnt something I had no idea about from @gea just now. That could be an easy mistake to make. Rsync is one of my go to tools. (Granted I don’t deal with file shares on daily basis and I assume those who do know these things already)
     
    #5
  6. daisho

    daisho New Member

    Joined:
    Apr 25, 2019
    Messages:
    20
    Likes Received:
    1
    I also for the first time now learned about the inheritance-methods (pass-through, restricted, ...). I always saw it when checking my pools on the far right but never really gave it any notice.

    For now I just copied all the data via my windows workstation as also cp tool did create those default ACLs. But maybe that's just because those are default ACLs always written when working on ZFS itself!? Anyway, as I didn't know any other tool to copy/sync files directly and had no time to investigate (old pool was already degraded and didn't want to buy a new disc) I just did it that way for now.

    In general, working with ZFS ACL and file ownership is not the simplest thing in life in my opinion. At least napp-it has a quiet ok GUI for the most part for this, as doing everything on command line is rather horrible.
    The only thing I miss in napp-it GUI is to set or delete ACLs recursively if files are already existing - that would help tremendously in a lot of cases.
     
    #6
  7. gea

    gea Well-Known Member

    Joined:
    Dec 31, 2010
    Messages:
    2,273
    Likes Received:
    752
    You can recursively modify ACL either from Windows (ex as user root) or napp-it when you click on Filesystems > Folder ACL of a filesystem. Below the ACL listing there is an option "reset ACL" (with recursive as an option)
     
    #7
  8. daisho

    daisho New Member

    Joined:
    Apr 25, 2019
    Messages:
    20
    Likes Received:
    1
    Oh well, shame on me. Didn't know that the reset does that (guessed it would reset to some default values). That is very handy to have!
     
    #8
  9. daisho

    daisho New Member

    Joined:
    Apr 25, 2019
    Messages:
    20
    Likes Received:
    1
    Hi,

    I am working on a pretty new pool, ACL inherit/mode are passthrough/passthrough.

    I set up the main folder with the ACL settings I wanted, then clicked on "rest ACL's", made sure "current folder" is selected in the drop-down, checked "recursive" option.
    But instead of every sub-folder getting these new configured ACL settings, everything ended up with default permissions (owner@, group@, everyone@).

    The ACL reset log just says:
    initiate reset 10.12.2019, 08:49 56 s current-folder recursiv: /repository/nfs/Myfolder

    Initial ACL settings configured by me usually looks like:
    ACL User/ Group acl acl-set details inheritance type option

    0 user:root rwxpdDaARWcCos full_set rd(acl,att,xatt) wr(acl,att,xatt,own) add(fi,sdir) del(yes,child) x, s file,dir,inherited allow delete
    1 user:share rwxpdDaARWcCos full_set rd(acl,att,xatt) wr(acl,att,xatt,own) add(fi,sdir) del(yes,child) x, s file,dir,inherited allow delete
    2 group:rdjosk r-x---a-R-c--s readxs_set rd(acl,att,xatt) x, s file,dir allow delete
    3 group:wrjosk rwxpdDaARWc--s modify_set rd(acl,att,xatt) wr(att,xatt) add(fi,sdir) del(yes,child) x, s file,dir allow delete

    Which I then want to propagate to all sub-folders (which works when copying files over via Windows share).
     
    #9
  10. gea

    gea Well-Known Member

    Joined:
    Dec 31, 2010
    Messages:
    2,273
    Likes Received:
    752
    When you reset acl recursively to "current folder" you should see a message with the chmod commands like (current folder=b1/test in this example, user a and smb group test)

    Code:
    /usr/bin/chmod -Rf A=user:root:rwxpdDaARWcCos:fd-----:allow '/b1/test/a'
    /usr/bin/chmod -Rf A1+user:a:rwxpdDaARWcCos:fd-----:allow '/b1/test/a'
    /usr/bin/chmod -Rf A2+group:test:r-x---a-R-c--s:fd-----:allow '/b1/test/a' 
    A default permission set is the result of an ACL remove

    btw.
    Does the reset ACL works from Windows (SMB connect as root, set acl recursively)?
     
    #10
  11. daisho

    daisho New Member

    Joined:
    Apr 25, 2019
    Messages:
    20
    Likes Received:
    1
    The page which updates after pressing ok shows indeed:
    ACL_reset: initiate reset operation

    /usr/bin/chmod -Rf A=user:root:rwxpdDaARWcCos:fd-----:allow '/repository/nfs/Keksi'

    But doesn't update further.
    After this try I saw that there was a root full permission afterwards (no default permissions).
    So could it be that napp-it first removes all permissions and then add them as they are configured by the folder one by one (and it didn't finish for some reason)?

    Does the command stop if you are logged out of the web session or should it continue in the background (btw, is it possible to set a different web session timeout)?

    I fixed it for now by using windows share, but not sure if it works correctly using napp-it (19.06f I think)?
     
    #11
  12. gea

    gea Well-Known Member

    Joined:
    Dec 31, 2010
    Messages:
    2,273
    Likes Received:
    752
    The "reset acl" is a foreground task.
    Can you try Chrome? I have seen problems with Firefox on some longer running tasks. CGI timeout should not be a problem.
     
    #12
Similar Threads: rsync creates
Forum Title Date
Solaris, Nexenta, OpenIndiana, and napp-it SSH tunnels crippeling slow under OmniOS? scp/rsync Mar 19, 2016
Solaris, Nexenta, OpenIndiana, and napp-it mkdir in .zfs/snapshot creates a snapshot? Apr 29, 2012

Share This Page